DEV Community

Discussion on: Check for newer versions of dependencies in pom.xml

Karl Heinz Marbaise

I recommend using the versions-maven-plugin like this:

mvn versions:display-dependency-updates

In particular, when using Spring Boot with its BOM file, you can configure the versions-maven-plugin to limit the output to the BOM updates instead of the deps updates themselves...
mojohaus.org/versions/versions-mav...

Eduardo Issao Ito

These have slightly different behavior.

The plugin will complain about all spring-boot dependencies, even if only spring-boot-starter-parent has an explicit version declared:

[INFO]   org.springframework.boot:spring-boot-configuration-processor ...
[INFO]                                                           2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-devtools ......... 2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-starter-actuator ...
[INFO]                                                           2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-starter-aop ...... 2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-starter-test ..... 2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-starter-validation ...
[INFO]                                                           2.7.3 -> 3.2.5
[INFO]   org.springframework.boot:spring-boot-starter-web ...... 2.7.3 -> 3.2.5
[INFO]   org.springframework.data:spring-data-mongodb .......... 3.4.2 -> 4.2.5

My script will only report on version differences if a dependency has a version explicitly declared in pom files. Only the spring-boot-starter-parent would be reported:

org.springframework.boot:spring-boot-starter-parent:2.7.3 [3.2.5]
 
Karl Heinz Marbaise

The issue is that you used the plugin without any configuration... instead of configuring it correctly:

      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>versions-maven-plugin</artifactId>
        <configuration>
          <processDependencyManagement>true</processDependencyManagement>
          <processDependencyManagementTransitive>false</processDependencyManagementTransitive>
          <processDependencies>false</processDependencies>
          <processPluginDependencies>false</processPluginDependencies>
          <processPluginDependenciesInPluginManagement>false</processPluginDependenciesInPluginManagement>
        </configuration>
        <executions>
          <execution>
            <id>bommajor</id>
            <goals>
              <goal>display-dependency-updates</goal>
            </goals>
            <configuration>
              <allowMajorUpdates>true</allowMajorUpdates>
              <allowMinorUpdates>true</allowMinorUpdates>
              <allowIncrementalUpdates>true</allowIncrementalUpdates>
            </configuration>
          </execution>
          <execution>
            <id>bomminor</id>
            <goals>
              <goal>display-dependency-updates</goal>
            </goals>
            <configuration>
              <allowMajorUpdates>false</allowMajorUpdates>
              <allowMinorUpdates>true</allowMinorUpdates>
              <allowIncrementalUpdates>true</allowIncrementalUpdates>
            </configuration>
          </execution>
          <execution>
            <id>bompatch</id>
            <goals>
              <goal>display-dependency-updates</goal>
            </goals>
            <configuration>
              <allowMajorUpdates>false</allowMajorUpdates>
              <allowMinorUpdates>false</allowMinorUpdates>
              <allowIncrementalUpdates>true</allowIncrementalUpdates>
            </configuration>
          </execution>
        </executions>
      </plugin>

Based on the above configuration you can now call:

mvn versions:display-dependency-updates -N -ntp

That will print out only the updates for the BOMs ... or direct dependencies:

$> mvn versions:display-dependency-updates -N -ntp
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------< com.soebes.spring.example:demo-project >---------------
[INFO] Building Employee Demo Application 0.0.1-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- versions:2.16.2:display-dependency-updates (default-cli) @ demo-project ---
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   nl.jqno.equalsverifier:equalsverifier ............... 3.14.1 -> 3.16.1
[INFO]   org.assertj:assertj-bom ............................. 3.24.2 -> 3.25.3
[INFO]   org.junit:junit-bom ............................... 5.9.3 -> 5.11.0-M2
[INFO]   org.mockito:mockito-bom .............................. 5.3.1 -> 5.12.0
[INFO]   org.springframework.boot:spring-boot-dependencies ...
[INFO]                                                       3.0.6 -> 3.3.0-RC1
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.425 s
[INFO] Finished at: 2024-05-18T15:59:39+02:00
[INFO] ------------------------------------------------------------------------
$> mvn versions:display-dependency-updates@bomminor -N -ntp
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------< com.soebes.spring.example:demo-project >---------------
[INFO] Building Employee Demo Application 0.0.1-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- versions:2.16.2:display-dependency-updates (bomminor) @ demo-project ---
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   nl.jqno.equalsverifier:equalsverifier ............... 3.14.1 -> 3.16.1
[INFO]   org.assertj:assertj-bom ............................. 3.24.2 -> 3.25.3
[INFO]   org.junit:junit-bom ............................... 5.9.3 -> 5.11.0-M2
[INFO]   org.mockito:mockito-bom .............................. 5.3.1 -> 5.12.0
[INFO]   org.springframework.boot:spring-boot-dependencies ...
[INFO]                                                       3.0.6 -> 3.3.0-RC1
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.422 s
[INFO] Finished at: 2024-05-18T15:59:51+02:00
[INFO] ------------------------------------------------------------------------
$> mvn versions:display-dependency-updates@bompatch -N -ntp
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------< com.soebes.spring.example:demo-project >---------------
[INFO] Building Employee Demo Application 0.0.1-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- versions:2.16.2:display-dependency-updates (bompatch) @ demo-project ---
[INFO] Assuming allowMajorUpdates false because allowMinorUpdates is false.
[INFO] Assuming allowMajorUpdates false because allowMinorUpdates is false.
[INFO] Assuming allowMajorUpdates false because allowMinorUpdates is false.
[INFO] Assuming allowMajorUpdates false because allowMinorUpdates is false.
[INFO] Assuming allowMajorUpdates false because allowMinorUpdates is false.
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   nl.jqno.equalsverifier:equalsverifier ............... 3.14.1 -> 3.14.3
[INFO]   org.springframework.boot:spring-boot-dependencies .... 3.0.6 -> 3.0.13
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.437 s
[INFO] Finished at: 2024-05-18T15:59:59+02:00
[INFO] ------------------------------------------------------------------------
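
An added example, not code from either commenter or from the versions-maven-plugin project: a small Python triage step for the `display-dependency-updates` output shown in this thread. It joins the wrapped two-line entries, labels each update as major, minor or incremental, and flags pre-release targets such as `3.3.0-RC1` so a CI job can hold them back from automatic upgrades; the function names and the pre-release qualifier list are assumptions.

```python
import re
# Lines copied from the plugin output quoted in the thread above.
SAMPLE = """\
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   nl.jqno.equalsverifier:equalsverifier ............... 3.14.1 -> 3.16.1
[INFO]   org.junit:junit-bom ............................... 5.9.3 -> 5.11.0-M2
[INFO]   org.springframework.boot:spring-boot-dependencies ...
[INFO]                                                       3.0.6 -> 3.3.0-RC1
[INFO]   org.springframework.boot:spring-boot-starter-web ...... 2.7.3 -> 3.2.5
"""

COORD = re.compile(r"^\[INFO\]\s+([\w.\-]+:[\w.\-]+)\s+\.{3,}(.*)$")
VERSIONS = re.compile(r"(\S+)\s+->\s+(\S+)\s*$")
# Assumption: common Maven pre-release qualifiers; extend for your own builds.
PRERELEASE = re.compile(r"-(M\d+|RC\d*|alpha|beta|SNAPSHOT)", re.IGNORECASE)

def parse_updates(text):
    """Return (groupId:artifactId, current, newest), joining wrapped entries."""
    updates, pending = [], None
    for line in text.splitlines():
        m = COORD.match(line)
        if m:
            pending, tail = m.group(1), m.group(2)
        elif pending and line.startswith("[INFO]"):
            tail = line[len("[INFO]"):]  # continuation line holding the versions
        else:
            pending = None
            continue
        v = VERSIONS.search(tail)
        if v:
            updates.append((pending, v.group(1), v.group(2)))
        if v or not m:
            pending = None  # entry finished, or continuation had no versions
    return updates

def _numeric(version):
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    return (parts + [0, 0, 0])[:3]

def classify(current, newest):
    cur, new = _numeric(current), _numeric(newest)
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "incremental"

def triage(text):
    return [{"artifact": ga, "from": cur, "to": new, "kind": classify(cur, new),
             "prerelease": bool(PRERELEASE.search(new))}
            for ga, cur, new in parse_updates(text)]
```

Feeding it the captured Maven log and failing the job on any `prerelease` or `major` entry keeps review of those upgrades manual while incremental updates can flow through.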
 
Eduardo Issao Ito

Wow, it's a non-trivial configuration... No wonder I didn't find it in the documentation. Thanks for sharing.